Issues with Suricata Working as IDPS

Hello,

I am encountering challenges with Suricata and would greatly appreciate any assistance or tips. I have configured UFW to forward traffic to Suricata for processing based on Suricata rules, intending to use Suricata as an IDPS.

Here’s a brief overview of my setup:

System: Raspberry Pi, Raspberry Pi OS running Suricata version 6.0.10

Suricata Configuration:
    Using nfq mode with mode: accept option in suricata.yaml
    Relevant rules in /etc/ufw/before.rules to forward packets to Suricata:

-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass
-I FORWARD -j NFQUEUE
-I INPUT 2 -j NFQUEUE
-I OUTPUT 2 -j NFQUEUE

Local Rules (local.rules):

drop icmp any any -> any any (msg: "DROP ICMP REQUEST"; sid:1234; rev:1;)
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:9999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Issues:

ICMP Traffic:
    The drop ICMP rule triggers an alert in eve.json, but the action is shown as "allowed" instead of "blocked"; when I use reject on the rule, it shows as "blocked". Does that mean the 'drop' action doesn't work or something? The ping request results in "request timed out". When this rule is commented out, the same "request timed out" response occurs.
HTTP Traffic:
    The IP rule does not trigger any alert, and I am experiencing a timeout response.
    Test: curl http://testmynids.org/uid/index.html
    Response: curl: (6) Could not resolve host: testmynids.org

Despite these configurations, I’m unable to get Suricata to function as expected. ICMP requests are not being blocked correctly, and HTTP traffic seems to be blocked by something other than Suricata.

Logs:

Suricata logs do not indicate any issues related to these rules.
Tcpdump confirms that ICMP packets are reaching the Raspberry Pi.

Could anyone provide guidance on additional troubleshooting steps or point out any potential misconfigurations?

Thank you
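The first thing worth checking when a drop rule appears to alert without blocking is what Suricata itself recorded as the verdict. In eve.json, a drop match is logged with action "blocked" only when the engine runs inline; a reject match is logged as "blocked" in either mode because the reset or unreachable is sent regardless. The script below is an added example, not code from the original post or from the Suricata project: it reads line-delimited eve.json records, tallies "allowed" versus "blocked" per signature id, and lists which drop/reject sids never produced a blocked verdict and which never alerted at all. The sample records, the sid 1235 reject variant and the function names are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed eve.json records modelled on this thread: sid 1234 is the
# "drop icmp" rule from local.rules, sid 1235 is a hypothetical reject variant
# of it, and sid 9999 (the uid=0 content rule) never fires. These lines are
# typed in for the example; they are not the poster's log.
SAMPLE_EVE = """\
{"timestamp":"2024-09-10T14:07:01.000000+0300","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP","alert":{"action":"allowed","signature_id":1234,"rev":1,"signature":"DROP ICMP REQUEST"}}
{"timestamp":"2024-09-10T14:07:02.000000+0300","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP","alert":{"action":"allowed","signature_id":1234,"rev":1,"signature":"DROP ICMP REQUEST"}}
{"timestamp":"2024-09-10T14:07:05.000000+0300","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP","alert":{"action":"blocked","signature_id":1235,"rev":1,"signature":"REJECT ICMP REQUEST"}}
{"timestamp":"2024-09-10T14:07:09.000000+0300","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"TCP"}
this line is not JSON and must be skipped
"""


def summarize_alert_actions(eve_text):
    """Return {signature_id: {"signature": str, "allowed": n, "blocked": n}}."""
    summary = defaultdict(lambda: {"signature": "", "allowed": 0, "blocked": 0})
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is one JSON object per line; skip anything else
        if rec.get("event_type") != "alert":
            continue  # flow, dns, stats etc. carry no verdict
        alert = rec.get("alert", {})
        sid = alert.get("signature_id")
        action = alert.get("action")
        if sid is None or action not in ("allowed", "blocked"):
            continue
        entry = summary[sid]
        entry["signature"] = alert.get("signature", "")
        entry[action] += 1
    return dict(summary)


def drop_rules_not_enforced(summary, drop_sids):
    """sids of drop/reject rules that alerted but were only ever logged as 'allowed'."""
    return sorted(
        sid for sid in drop_sids
        if sid in summary
        and summary[sid]["allowed"] > 0
        and summary[sid]["blocked"] == 0
    )


def never_alerted(summary, drop_sids):
    """sids of drop/reject rules with no alert record at all (rule never matched)."""
    return sorted(sid for sid in drop_sids if sid not in summary)


if __name__ == "__main__":
    # The sids of the drop rules from local.rules plus the constructed reject variant.
    local_drop_sids = {1234, 1235, 9999}
    s = summarize_alert_actions(SAMPLE_EVE)
    for sid, entry in sorted(s.items()):
        print(f"sid {sid} {entry['signature']!r}: allowed={entry['allowed']} blocked={entry['blocked']}")
    print("alerted but not blocked:", drop_rules_not_enforced(s, local_drop_sids))
    print("never alerted:", never_alerted(s, local_drop_sids))
```

A sid that shows up only as "allowed" tells you the engine saw and matched the packet but was not in a position to enforce the verdict; a sid that never appears (like 9999 here) means the traffic never reached the engine in a matchable form, which is the situation to look for when the curl test fails at name resolution before any HTTP is sent.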

Please attach the run command for Suricata, the suricata.yaml and suricata.log as well as stats.log.

Hello @Andreas_Herz,

Thank you for your response.

Please find in attachment the requested files.

run command and status lookup:
sudo systemctl restart suricata.service

pi@raspberry:~ $ sudo systemctl status suricata
● suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-09-10 14:06:44 EEST; 1min 0s ago
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata-ids.org/docs/
    Process: 22123 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml -->
   Main PID: 22124 (Suricata-Main)
      Tasks: 10 (limit: 3910)
        CPU: 14.995s
     CGroup: /system.slice/suricata.service
             └─22124 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile >

Sep 10 14:06:44 raspberry systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon...
Sep 10 14:06:44 raspberry suricata[22123]: 10/9/2024 -- 14:06:44 - <Notice> - This is Suricata >
Sep 10 14:06:44 raspberry systemd[1]: Started suricata.service - Suricata IDS/IDP daemon.

suricata.yaml (73.1 KB)
stats.log (4.0 MB)
suricata.log (12.2 KB)

First of all you are running Suricata 6.0 which is EOL, so upgrade to Suricata 7.0 first.

You are running in AF_PACKET mode but you have just one interface set in the af-packet section. Follow this guide for IPS mode with AF_PACKET: 15. Setting up IPS/inline for Linux — Suricata 7.0.7 documentation
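The thread shows two pieces of configuration that have to agree: the NFQUEUE rules in before.rules hand packets to userspace, and the systemd ExecStart line decides whether Suricata is the process that picks them up (the -q option binds an NFQUEUE; --af-packet does not). iptables drops packets queued to an NFQUEUE with no listener unless the rule carries --queue-bypass, in which case they pass uninspected. The script below is an added example, not code from the original posters or from the Suricata project: it classifies the capture mode from the command line, scans firewall rules for NFQUEUE targets, and reports each rule whose effect does not match how the engine was started. The EXEC_START string and rule text are typed in from what this thread shows, and the function names are constructed for the example.

```python
import shlex

# Constructed inputs modelled on this thread: the ExecStart command from the
# systemctl output and the NFQUEUE lines from /etc/ufw/before.rules. They are
# typed in for the example, not read from the poster's files.
EXEC_START = "/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid"
FIREWALL_RULES = """\
-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass
-I FORWARD -j NFQUEUE
-I INPUT 2 -j NFQUEUE
-I OUTPUT 2 -j NFQUEUE
"""


def capture_mode(exec_start):
    """Classify how Suricata was started: 'nfqueue' (-q N), 'af-packet', or 'other'."""
    argv = shlex.split(exec_start)
    for a in argv:
        # getopt accepts both "-q 0" and "-q0"
        if a == "-q" or (a.startswith("-q") and a[2:].isdigit()):
            return "nfqueue"
    if "--af-packet" in argv or any(a.startswith("--af-packet=") for a in argv):
        return "af-packet"
    return "other"


def nfqueue_rules(rules_text):
    """Yield (rule, has_bypass) for each rule line whose target is NFQUEUE."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "-j NFQUEUE" not in line:
            continue
        yield line, "--queue-bypass" in line


def check_consistency(exec_start, rules_text):
    """Return findings (strings) where firewall queueing and engine mode disagree."""
    findings = []
    mode = capture_mode(exec_start)
    queued = list(nfqueue_rules(rules_text))
    if mode != "nfqueue":
        # Nothing is bound to the queue, so the kernel applies the NFQUEUE defaults.
        for rule, bypass in queued:
            if bypass:
                findings.append(
                    f"no NFQUEUE consumer; --queue-bypass lets matching traffic "
                    f"through uninspected: {rule}")
            else:
                findings.append(
                    f"no NFQUEUE consumer and no --queue-bypass; matching packets "
                    f"are dropped by the kernel: {rule}")
    if mode == "nfqueue" and not queued:
        findings.append("Suricata binds an NFQUEUE but no firewall rule sends packets to NFQUEUE")
    return findings


if __name__ == "__main__":
    print("capture mode:", capture_mode(EXEC_START))
    for finding in check_consistency(EXEC_START, FIREWALL_RULES):
        print(" -", finding)
```

Run against the values from this thread, the three rules without --queue-bypass (FORWARD, INPUT 2, OUTPUT 2) are reported as kernel drops, which is the pattern to rule out before looking at the signatures themselves: a queued packet that is never delivered to the engine produces neither an alert nor a reply. Pick one capture path, either -q with the NFQUEUE rules or the two-interface AF_PACKET setup from the linked guide, and remove the other.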